feat(authelia): 4.34.0 (#133)

charts/authelia/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: authelia
-version: 0.8.4
+version: 0.8.5
 kubeVersion: ">= 1.13.0-0"
 description: Authelia is a Single Sign-On Multi-Factor portal for web apps
 type: application
@@ -23,6 +23,6 @@ maintainers:
     email: [email protected]
     url: https://github.com/james-d-elliott
 icon: https://avatars2.githubusercontent.com/u/59122411?s=200&v=4
-appVersion: 4.33.2
+appVersion: 4.34.0
 deprecated: false
 annotations: {}

charts/authelia/templates/configMap.yaml

@@ -22,6 +22,8 @@ data:
       {{- if not (eq "" (default "" .Values.configMap.server.path)) }}
       path: {{ .Values.configMap.server.path }}
       {{- end }}
+      headers:
+        csp_template: {{ .Values.configMap.server.headers.csp_template | default "" }}
       read_buffer_size: {{ default 4096 .Values.configMap.server.read_buffer_size }}
       write_buffer_size: {{ default 4096 .Values.configMap.server.write_buffer_size }}
       enable_pprof: {{ default false .Values.configMap.server.enable_pprof }}
@@ -34,11 +36,26 @@ data:
       keep_stdout: true
       {{- end }}
     totp:
+      {{- if eq .Values.configMap.totp.disable true }}
+      disable: true
+      {{- else }}
+      disable: false
       issuer: {{ default .Values.domain .Values.configMap.totp.issuer }}
       algorithm: {{ default "sha1" .Values.configMap.totp.algorithm }}
       digits: {{ default 6 .Values.configMap.totp.digits }}
       period: {{ default 30 .Values.configMap.totp.period }}
       skew: {{ default 1 .Values.configMap.totp.skew }}
+      {{- end }}
+    webauthn:
+      {{- if eq .Values.configMap.webauthn.disable true }}
+      disable: true
+      {{- else }}
+      disable: false
+      display_name: {{ .Values.configMap.webauthn.display_name | default "Authelia" }}
+      attestation_conveyance_preference: {{ .Values.configMap.webauthn.attestation_conveyance_preference | default "indirect" }}
+      user_verification: {{ .Values.configMap.webauthn.user_verification | default "preferred" }}
+      timeout: {{ .Values.configMap.webauthn.timeout | default "60s" }}
+      {{- end }}
     ntp:
       address: {{ default "time.cloudflare.com:123" .Values.configMap.ntp.address }}
       version: {{ default 3 .Values.configMap.ntp.version }}
@@ -205,6 +222,8 @@ data:
         authorize_code_lifespan: {{ default "1m" .Values.configMap.identity_providers.oidc.authorize_code_lifespan }}
         id_token_lifespan: {{ default "1h" .Values.configMap.identity_providers.oidc.id_token_lifespan }}
         refresh_token_lifespan: {{ default "90m" .Values.configMap.identity_providers.oidc.refresh_token_lifespan }}
+        enforce_pkce: {{ .Values.configMap.identity_providers.oidc.enforce_pkce | default "public_clients_only" }}
+        enable_pkce_plain_challenge: {{ .Values.configMap.identity_providers.oidc.enable_pkce_plain_challenge | default false }}
         enable_client_debug_messages: {{ default false .Values.configMap.identity_providers.oidc.enable_client_debug_messages }}
         minimum_parameter_entropy: {{ default 8 .Values.configMap.identity_providers.oidc.minimum_parameter_entropy }}
         {{- if gt (len .Values.configMap.identity_providers.oidc.clients) 0 }}

charts/authelia/values.local.yaml

@@ -19,7 +19,7 @@ image:
   # registry: docker.io
   registry: ghcr.io
   repository: authelia/authelia
-  tag: 4.33.2
+  tag: 4.34.0
   pullPolicy: IfNotPresent
   pullSecrets: []
   # pullSecrets:
@@ -408,6 +408,12 @@ configMap:
     ##
     port: 9091
 
+    ## Customize Authelia headers.
+    headers:
+      ## Read the Authelia docs before setting this advanced option.
+      ## https://www.authelia.com/docs/configuration/server.html#csp_template.
+      csp_template: ""
+
     ## Buffers usually should be configured to be the same value.
     ## Explanation at https://www.authelia.com/docs/configuration/server.html
     ## Read buffer size adjusts the server's max incoming request size in bytes.
@@ -445,17 +451,19 @@ configMap:
   ##
   ## TOTP Configuration
   ##
-  ## Parameters used for TOTP generation
+  ## Parameters used for TOTP generation.
   totp:
-    ## The issuer name displayed in the Authenticator application of your choice
-    ## See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
+    ## Disable TOTP.
+    disable: false
+
+    ## The issuer name displayed in the Authenticator application of your choice.
     ## Defaults to <domain>.
     issuer: ""
 
     ## The TOTP algorithm to use.
     ## It is CRITICAL you read the documentation before changing this option:
     ## https://www.authelia.com/docs/configuration/one-time-password.html#algorithm
-    algorithm: "sha1"
+    algorithm: sha1
 
     ## The number of digits a user has to input. Must either be 6 or 8.
     ## Changing this option only affects newly generated TOTP configurations.
@@ -472,6 +480,28 @@ configMap:
     ## See: https://www.authelia.com/docs/configuration/one-time-password.html#period-and-skew to read the documentation.
     skew: 1
 
+  ##
+  ## WebAuthn Configuration
+  ##
+  ## Parameters used for WebAuthn.
+  webauthn:
+    ## Disable Webauthn.
+    disable: false
+
+    ## Adjust the interaction timeout for Webauthn dialogues.
+    timeout: 60s
+
+    ## The display name the browser should show the user for when using Webauthn to login/register.
+    display_name: Authelia
+
+    ## Conveyance preference controls if we collect the attestation statement including the AAGUID from the device.
+    ## Options are none, indirect, direct.
+    attestation_conveyance_preference: indirect
+
+    ## User verification controls if the user must make a gesture or action to confirm they are present.
+    ## Options are required, preferred, discouraged.
+    user_verification: preferred
+
   ##
   ## NTP Configuration
   ##
@@ -981,6 +1011,14 @@ configMap:
       id_token_lifespan: 1h
       refresh_token_lifespan: 90m
 
+      ## Adjusts the PKCE enforcement. Options are always, public_clients_only, never.
+      ## For security reasons it's recommended this option is public_clients_only or always, however always is not
+      ## compatible with all clients.
+      enforce_pkce: public_clients_only
+
+      ## Enables the plain PKCE challenge which is not recommended for security reasons but may be necessary for some clients.
+      enable_pkce_plain_challenge: false
+
       enable_client_debug_messages: false
 
       ## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it below 8 for

charts/authelia/values.yaml

@@ -18,7 +18,7 @@ image:
   # registry: docker.io
   registry: ghcr.io
   repository: authelia/authelia
-  tag: 4.33.2
+  tag: 4.34.0
   pullPolicy: IfNotPresent
   pullSecrets: []
   # pullSecrets:
@@ -406,6 +406,12 @@ configMap:
     ##
     port: 9091
 
+    ## Customize Authelia headers.
+    headers:
+      ## Read the Authelia docs before setting this advanced option.
+      ## https://www.authelia.com/docs/configuration/server.html#csp_template.
+      csp_template: ""
+
     ## Buffers usually should be configured to be the same value.
     ## Explanation at https://www.authelia.com/docs/configuration/server.html
     ## Read buffer size adjusts the server's max incoming request size in bytes.
@@ -443,17 +449,19 @@ configMap:
   ##
   ## TOTP Configuration
   ##
-  ## Parameters used for TOTP generation
+  ## Parameters used for TOTP generation.
   totp:
-    ## The issuer name displayed in the Authenticator application of your choice
-    ## See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
+    ## Disable TOTP.
+    disable: false
+
+    ## The issuer name displayed in the Authenticator application of your choice.
     ## Defaults to <domain>.
     issuer: ""
 
     ## The TOTP algorithm to use.
     ## It is CRITICAL you read the documentation before changing this option:
     ## https://www.authelia.com/docs/configuration/one-time-password.html#algorithm
-    algorithm: "sha1"
+    algorithm: sha1
 
     ## The number of digits a user has to input. Must either be 6 or 8.
     ## Changing this option only affects newly generated TOTP configurations.
@@ -470,6 +478,28 @@ configMap:
     ## See: https://www.authelia.com/docs/configuration/one-time-password.html#period-and-skew to read the documentation.
     skew: 1
 
+  ##
+  ## WebAuthn Configuration
+  ##
+  ## Parameters used for WebAuthn.
+  webauthn:
+    ## Disable Webauthn.
+    disable: false
+
+    ## Adjust the interaction timeout for Webauthn dialogues.
+    timeout: 60s
+
+    ## The display name the browser should show the user for when using Webauthn to login/register.
+    display_name: Authelia
+
+    ## Conveyance preference controls if we collect the attestation statement including the AAGUID from the device.
+    ## Options are none, indirect, direct.
+    attestation_conveyance_preference: indirect
+
+    ## User verification controls if the user must make a gesture or action to confirm they are present.
+    ## Options are required, preferred, discouraged.
+    user_verification: preferred
+
   ##
   ## NTP Configuration
   ##
@@ -984,6 +1014,14 @@ configMap:
       id_token_lifespan: 1h
       refresh_token_lifespan: 90m
 
+      ## Adjusts the PKCE enforcement. Options are always, public_clients_only, never.
+      ## For security reasons it's recommended this option is public_clients_only or always, however always is not
+      ## compatible with all clients.
+      enforce_pkce: public_clients_only
+
+      ## Enables the plain PKCE challenge which is not recommended for security reasons but may be necessary for some clients.
+      enable_pkce_plain_challenge: false
+
       enable_client_debug_messages: false
 
       ## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it below 8 for